ECSO recommendations for European cyber security operation centres and threat intelligence

ECSO’s new position paper of the ECSO Task Force focuses on the European cyber security operation centres and threat intelligence (ECSOCTI). ECSO Members consider the upcoming call of the Digital Europe Programme on Security Operation Centre capacity building and Cyber Threat Intelligence as a great opportunity to strengthen European Digital Sovereignty and Strategic Autonomy and boost the further development of European competencies in this area. This call also gives a chance to overcome the existing market fragmentation and accelerate cooperation between European stakeholdersfrom the private and public sectors to prevent, detect and respond to cyber threats. This paper highlights crucial elements that contribute to the achievement of the above-mentioned goals.

Key observations and recommendations:

• In the current geopolitical situation, SOCs are urgently needed to detect attacks against European networks. 
• Strong participation of the private sector and sectoral-driven cooperation should be seen as a cornerstone of the robust SOC and CTI ecosystem. New initiatives on SOCs and CTI should leverage on existing solutions and bridge the information gap between the private and public sector by federating existing SOCs and CTI platforms.
• When developing SOC capabilities, it is recommended to take a holistic approach. Effective SOC solutions should not only help to protect internal organisations’ resources but also ensure resilience of the entire supply chain. This is why mechanisms for secure information exchange and broader cooperation within the ecosystem must be promoted.
• SOCs and CTI serve as equally important elements of strong cybersecurity. While the former concentrates mainly on detection, the latter offers prediction capabilities, and their close alignment is crucial to effectively combat cyber threats. Significant investments are needed in both domains as well as the creation of mechanisms to promote cooperation between them.
• Utilisation of innovative technologies, including, but not limited to, Artificial Intelligence (AI) or Machine Learning (ML) that will strengthen SOCs capabilities and contribute to improved benefits for all stakeholders involved. For instance, AI can be used to analyse data coming from various sources (including from member SOCs), identify the most popular attack tactics and enable the creation of a real-time heat map that serves as an EU-wide Threat Model. Also, data science-based solutions and technologies have a potential to increase the effectiveness of the threat analysis.
• While innovative technologies are important for SOCs, highly skilled people are still essential. The human element is fundamental to the overall success of both SOCs and CTI and as such should be significantly strengthened. This is especially important as SOC providers face severe shortages in skilled and well-trained manpower responsible for processing intensively growing volumes of security alerts. Investments in in specialised education and training are urgently needed to face a rapidly evolving threat landscape. 
• The creation of a trust-based European Cybersecurity Threat Intelligence Alliance could provide EU-wide information gathering, processing, and sharing. Such an Alliance could benefit from a dedicated European fund to support European CTI service providers and constitute the backbone of CTI sharing in Europe, combining information from public and private actors to better predict upcoming attacks, creating the needed link for best exploitation of data coming from the newly created SOCs network. To better develop the public – private cooperation, the Alliance would coordinate with the Network of National Coordination Centres and the other envisaged or existing European institutional initiatives (e.g. Network of CSIRTs, ENISA, Joint Cyber Unit, etc.). With its years of experience and a proven record of creating cybersecurity communities in Europe, ECSO would use its network, skills, and know-how to develop a European CTI ecosystem creating and coordinating such an Alliance, building upon its established suppliers and users communities, reaching in a short term and with limited effort the envisaged objectives.
• The value of the performed CTI analysis is directly linked to the quantity and the quality of the ingested data. Data and information sharing between members of the Alliance should be incentivised to unlock the potential of European cooperation. Common data formats should be envisaged to facilitate CTI exchange.
• Trustful cooperation and dissemination of data can be reinforced by: 

– The possible utilisation of innovative technologies and Distributed Ledger Technology (DLT) such as blockchain-enabled frameworks (serving among others to securely authenticate and authorise entities that provide raw data)

– The creation of mechanisms allowing to accept only vetted members

– The implementation of access controls and innovative solutions helping to maintain security and privacy but at the same time enabling information sharing. 

• The information sharing process will require the development of a unified approach toward data sharing models: a common framework, interoperability standards, taxonomy, and agreed protocols. While some good practices exist, an alignment of the joint approach should be achieved.

Read the full paper here.